NLP-based approaches for malware classification from API sequences

Tran, Trung; Satō, Hiroshi

doi:10.1109/iesys.2017.8233569

Cited by 42 publications

(6 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The N-gram TF-IDF feature model has been used in cyber security applications such as software vulnerability assessments [47], [48] and cyber threat detection [49], [50], [51], [52]. The authors of [47] used TF-IDF features extracted from bug reports to develop a tool for identifying software bugs.…”

Section: Related Workmentioning

confidence: 99%

“…The authors of [49] extracted TF-IDF features from process logs to build an intrusion detection system for a computer network. The research presented in [50] used TF-IDF features extracted from opcode sequences to classify ransomware families. The authors of [51] and [52] used TF-IDF features extracted from Application Programming Interface (API) call sequences for malware classification.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

A Natural Language Processing Approach for Instruction Set Architecture Identification

Sahabandu¹,

Mertoguno²,

Poovendran³

2022

Preprint

View full text Add to dashboard Cite

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

A Natural Language Processing Approach for Instruction Set Architecture Identification

Sahabandu¹,

Mertoguno²,

Poovendran³

2022

Preprint

View full text Add to dashboard Cite

“…Their method extracts the features from the DLL Import name, assembly code, and hex dump. A similar approach is classifying malware from API sequences with TF-IDF and Paragraph Vector [51]. This method requires dynamic analysis to extract API sequences.…”

Section: Nlp-based Detectionmentioning

confidence: 99%

Applying NLP techniques to malware detection in a practical environment

Mimura

Ito²

2021

Int. J. Inf. Secur.

View full text Add to dashboard Cite

Executable files still remain popular to compromise the endpoint computers. These executable files are often obfuscated to avoid anti-virus programs. To examine all suspicious files from the Internet, dynamic analysis requires too much time. Therefore, a fast filtering method is required. With the recent development of natural language processing (NLP) techniques, printable strings became more effective to detect malware. The combination of the printable strings and NLP techniques can be used as a filtering method. In this paper, we apply NLP techniques to malware detection. This paper reveals that printable strings with NLP techniques are effective for detecting malware in a practical environment. Our dataset consists of more than 500,000 samples obtained from multiple sources. Our experimental results demonstrate that our method is effective to not only subspecies of the existing malware, but also new malware. Our method is effective against packed malware and anti-debugging techniques.

show abstract

“…Taejin et al [27] transformed API calls into some code arrangements and grouped the APIs using n-gram. Tran et al [28] used natural language processing to analyze the API call sequence. They divided the long sequence calls into small chunks using approaches like n-gram.…”

Section: Related Workmentioning

confidence: 99%

Contextual Identification of Windows Malware through Semantic Interpretation of API Call Sequence

Amer

El–Sappagh

2020

Applied Sciences

View full text Add to dashboard Cite

The proper interpretation of the malware API call sequence plays a crucial role in identifying its malicious intent. Moreover, there is a necessity to characterize smart malware mimicry activities that resemble goodware programs. Those types of malware imply further challenges in recognizing their malicious activities. In this paper, we propose a standard and straightforward contextual behavioral models that characterize Windows malware and goodware. We relied on the word embedding to realize the contextual association that may occur between API functions in malware sequences. Our empirical results proved that there is a considerable distinction between malware and goodware call sequences. Based on that distinction, we propose a new method to detect malware that relies on the Markov chain. We also propose a heuristic method that identifies malware’s mimicry activities by tracking the likelihood behavior of a given API call sequence. Experimental results showed that our proposed model outperforms other peer models that rely on API call sequences. Our model returns an average malware detection accuracy of 0.990, with a false positive rate of 0.010. Regarding malware mimicry, our model shows an average noteworthy accuracy of 0.993 in detecting false positives.

show abstract

NLP-based approaches for malware classification from API sequences

Cited by 42 publications

References 7 publications

A Natural Language Processing Approach for Instruction Set Architecture Identification

A Natural Language Processing Approach for Instruction Set Architecture Identification

Applying NLP techniques to malware detection in a practical environment

Contextual Identification of Windows Malware through Semantic Interpretation of API Call Sequence

Contact Info

Product

Resources

About